One of the issues I discuss most frequently these days is attestation. I talk with vendors, with integrators, with auditors, and with end-users. Especially when talking with vendors, it appears to me that - again (I'll talk about that later) - a lightweight solution is frequently sold as the biggest thing since the invention of the wheel.
Why lightweight? Many of the attestation offerings support only one level of attestation. That's not enough (see below).
Why again? That leads directly to the problems of many of today's attestation solutions. It is about the (often concealed) biggest shortcoming of most of today's provisioning solutions: they only provision partially. If a person "Martin Kuppinger" is new, there will be an identity for him. And there will be accounts like "MartinK" in Active Directory. And "MartinK" might be assigned to the group "Finance". Done - at least for the provisioning system. And that system can even reconcile that "MartinK" isn't a member of "Finance" anymore.
But: what is the group "Finance" allowed to do? That is defined by someone else: the administrator of the Windows environment - and sometimes several admins, because AD and the various file servers are managed independently. What happens if some access control entries for "Finance" are changed? Some admins will know about it. But the people responsible for the provisioning system? They will learn about it only if well-organized manual processes are set up (or a system which tracks these changes). The provisioning system itself, at any rate, won't know anything about that change.
In other words: there is a built-in breaking point between the provisioning system and the system level. Interestingly, by far most of the end-users I've spoken with about this within the last few years had never heard about it - neither from vendors nor from integrators.
You can object that it isn't that easy to manage ACLs. Agreed. But then you have to address this issue in another way (by the way: the problem affects auditing as well - but it is easier to read all the details from the provisioned systems than to control them).
The way to address this is multi-layered attestation: the system administrators have to attest their systems. The "identity managers" have to attest what they are doing at the provisioning level. At the departmental level, there has to be an attestation of the correct assignment of business roles, and so on. There might be more levels - but there will always be more than one level. The linkage between the layers has to be attested as well. Thus, attestation is far more complex than some people make it out to be today.
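The three layers and the linkage between them can be checked mechanically once each layer's approved state is recorded next to its actual state. The following Python script is an added example, not code from the original post or from any vendor product. Every identity, account, group, share path and ACL entry in it is constructed, and it assumes each layer's approved and actual state has already been exported into plain sets (in practice from the HR or role system, the provisioning system, Active Directory and the file servers). Each layer is attested on its own, and a separate linkage attestation resolves identity -> account -> group -> ACE end to end, which is what surfaces an ACL change made by a file server admin that the provisioning system never sees.

```python
"""Multi-layered attestation over constructed sample data.

Added example, not code from the original post. Every identity, account,
group, share path and ACL entry below is made up; it assumes each layer's
approved and actual state has already been exported into plain Python sets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    layer: str    # attestation layer that raised the finding
    kind: str     # "unapproved": present but never approved; "missing": approved but absent
    subject: str  # identity, account or group concerned
    detail: str


# --- Business layer: identity -> business role, attested by the department. ---
APPROVED_ROLES = {("Martin Kuppinger", "Finance Analyst")}
ACTUAL_ROLES = {("Martin Kuppinger", "Finance Analyst")}
ROLE_GROUPS = {"Finance Analyst": {"Finance"}}  # which groups a role is meant to map to

# --- Provisioning layer: what the provisioning system knows about accounts and groups. ---
IDENTITY_ACCOUNTS = {"Martin Kuppinger": {"MartinK"}}
APPROVED_ACCOUNT_GROUPS = {("MartinK", "Finance")}
ACTUAL_ACCOUNT_GROUPS = {("MartinK", "Finance"),
                         ("MartinK", "Payroll")}  # added directly in AD, bypassing provisioning

# --- System layer: group -> (resource, right), as read from the file server ACLs. ---
APPROVED_ACL = {("Finance", r"\\fs01\finance", "Read"),
                ("Payroll", r"\\fs01\payroll", "Read")}
ACTUAL_ACL = {("Finance", r"\\fs01\finance", "Read"),
              ("Finance", r"\\fs01\finance", "Write"),  # ACE changed by the file server admin
              ("Payroll", r"\\fs01\payroll", "Read")}


def attest_layer(layer, approved, actual):
    """Attest one layer: report entries that exist without approval or are approved but gone.
    Entries are tuples whose first element is the subject (identity, account or group)."""
    findings = []
    for entry in sorted(actual - approved):
        findings.append(Finding(layer, "unapproved", entry[0], " -> ".join(entry[1:])))
    for entry in sorted(approved - actual):
        findings.append(Finding(layer, "missing", entry[0], " -> ".join(entry[1:])))
    return findings


def effective_access(identity):
    """Resolve what an identity can actually do: identity -> accounts -> AD groups -> ACEs."""
    accounts = IDENTITY_ACCOUNTS.get(identity, set())
    groups = {group for account, group in ACTUAL_ACCOUNT_GROUPS if account in accounts}
    return {(resource, right) for group, resource, right in ACTUAL_ACL if group in groups}


def approved_access(identity):
    """Resolve what an identity should be able to do: identity -> roles -> groups -> approved ACEs."""
    roles = {role for ident, role in APPROVED_ROLES if ident == identity}
    groups = {group for role in roles for group in ROLE_GROUPS.get(role, set())}
    return {(resource, right) for group, resource, right in APPROVED_ACL if group in groups}


def attest_linkage(identities):
    """Attest the linkage between layers by comparing end-to-end effective access with approved access.
    This is what surfaces a system-level ACL change the provisioning system never sees."""
    findings = []
    for identity in sorted(identities):
        actual, expected = effective_access(identity), approved_access(identity)
        for resource, right in sorted(actual - expected):
            findings.append(Finding("linkage", "unapproved", identity, f"{right} on {resource}"))
        for resource, right in sorted(expected - actual):
            findings.append(Finding("linkage", "missing", identity, f"{right} on {resource}"))
    return findings


def run_attestation():
    """Run all layer attestations plus the linkage attestation; return findings in layer order."""
    identities = {ident for ident, _ in APPROVED_ROLES | ACTUAL_ROLES} | set(IDENTITY_ACCOUNTS)
    return (attest_layer("business", APPROVED_ROLES, ACTUAL_ROLES)
            + attest_layer("provisioning", APPROVED_ACCOUNT_GROUPS, ACTUAL_ACCOUNT_GROUPS)
            + attest_layer("system", APPROVED_ACL, ACTUAL_ACL)
            + attest_linkage(identities))


if __name__ == "__main__":
    for f in run_attestation():
        print(f"[{f.layer:12}] {f.kind:10} {f.subject}: {f.detail}")
```

Run as a script, it lists one provisioning finding (the direct group membership in "Payroll"), one system finding (the extra "Write" ACE for "Finance") and two linkage findings for the identity, who now effectively holds rights that no business role ever approved. Attesting only the provisioning layer would have shown the Payroll membership but never the changed ACE; attesting only the system layer would have shown the ACE but not who ends up with it. The linkage attestation is the piece that connects the two.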
Of course you can start at one level. But you should always be aware of the shortcomings - the most important one being that as long as you haven't implemented a consistent attestation approach from the business level down to the system level, you'll never know about potential access control problems in your systems.